On Fri, 20 Jun 2003, Bob Lenaerts wrote:

> Hi all,
> I have this as output
> What can I do about that ?

You could try and manually recover, however you're wasting your time. The exploit (the way they got in) is still going to be there, and what other backdoors exist on the system. Really you'll want to if possible get an image of the system for forensic analysis to see how they got in, to help develop the corrective action to stop this happening again. Disconnect the box, rebuild from known good, patch, harden, secure, reconnect.

> Can I for ex. delete Ifconfig , and reinstall ifconfig from a pkg ?
> Checking `ifconfig'... INFECTED
> Checking `login'... INFECTED
> Checking `pstree'... INFECTED
> Possible t0rn v8 (or variation) rootkit installed
> Searching for Showtee... Warning: Possible Showtee Rootkit installed
> Checking `lkm'... You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed

Looks like they've infected a fair set of files. Strange that netstat wasn't infected, however it looks like they used the Kernel Module based rootkit to hide processes etc.

Best of luck

Gareth

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
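An added example, not part of the original message or of chkrootkit itself: a small triage script that separates the replaced userland binaries in the quoted output from the kernel-level (LKM, hidden process) findings, which is the distinction the reply draws. The function name `triage`, the result keys and the `reinstall_sufficient` rule are assumptions made for illustration; the sample is the output quoted in the thread.

```python
import re

# Constructed sample: the chkrootkit lines quoted in the thread.
SAMPLE = """\
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
Possible t0rn v8 (or variation) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
"""

# "not infected" is lowercase in chkrootkit output, so match INFECTED case-sensitively.
INFECTED = re.compile(r"Checking `([^']+)'\.\.\. INFECTED")
HIDDEN = re.compile(r"You have\s+(\d+) process(?:es)? hidden")
NAMED = re.compile(r"Possible (.+?) (?:rootkit|trojan) installed", re.I)


def triage(report):
    """Split chkrootkit findings into userland and kernel-level indicators."""
    out = {"binaries": [], "rootkits": [], "hidden_procs": 0, "kernel_level": False}
    for line in report.splitlines():
        if m := INFECTED.search(line):
            out["binaries"].append(m.group(1))      # trojaned userland tool
        if m := HIDDEN.search(line):
            out["hidden_procs"] += int(m.group(1))  # processes hidden from ps
        if m := NAMED.search(line):
            out["rootkits"].append(m.group(1))
            if m.group(1).upper() == "LKM":
                out["kernel_level"] = True
    if out["hidden_procs"]:
        out["kernel_level"] = True
    compromised = bool(out["binaries"] or out["rootkits"] or out["kernel_level"])
    # Assumed rule, following the reply: once anything is flagged, reinstalling
    # single packages does not remove the entry point or other backdoors, and
    # with a kernel-level rootkit the live host's own tools cannot be trusted.
    out["reinstall_sufficient"] = not compromised
    out["action"] = ("image for forensics, disconnect, rebuild from known good"
                     if compromised else "no findings in this report")
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
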
